Hackers use fake crypto job offers to push info-stealing malware

A campaign operated by Russian threat actors uses fake job offers to target Eastern Europeans working in the cryptocurrency industry, aiming to infect them with a modified version of the Stealerium malware named 'Enigma.'

According to Trend Micro, which has been tracking the malicious activity, the threat actors use a set of heavily obfuscated loaders that exploits an old Intel driver flaw to reduce the token integrity of Microsoft Defender and bypass protections.

Targeting victims

The attacks start with an email pretending to be a job offer with fake cryptocurrency interviews to lure their targets. The emails have a RAR archive attachment which contains a TXT ("interview questions.txt") and an executable ("interview conditions.word.exe").

The text file contains interview questions written in Cyrillic, which follow a standard format and are made to appear legitimate.

If the victim is tricked into launching the executable, a chain of payloads is executed that eventually downloads the Enigma information-stealing malware from Telegram.

Attack chain diagram (Trend Micro)

The first-stage downloader is a C++ tool that uses techniques like API hashing, string encryption, and irrelevant code to evade detection while downloading and launching the second-stage payload, "UpdateTask.dll."

The second-stage payload, also written in C++, uses the "Bring Your own Vulnerable Driver" (BYOVD) technique to exploit the CVE-2015-2291 Intel vulnerability. This Intel driver flaw allows commands to be executed with Kernel privileges.

The threat actors abuse this vulnerability to disable Microsoft Defender before the malware downloads the third payload.

Defender's token integrity modification (Trend Micro)

The third-stage downloads the final payload, Enigma Stealer, from a private Telegram channel, which Trend Micro says is a modified version of Stealerium, an open-source information-stealing malware.

Enigma targets system information, tokens, and passwords stored in web browsers like Google Chrome, Microsoft Edge, Opera, and more. Additionally, it targets data stored in Microsoft Outlook, Telegram, Signal, OpenVPN, and other apps.

Enigma can also capture screenshots from the compromised system and extract clipboard content or VPN configurations.

Enigma's stealing logic (Trend Micro)

Finally, all stolen data is compressed in a ZIP archive ("Data.zip") and sent back to the threat actors via Telegram.

Some of Enigma's strings, such as web browser paths and Geolocation API services URLs, are encrypted with the AES algorithm in cipher-block chaining (CBC) mode, likely to conceal the data and prevent unauthorized access or tampering.

String encryption logic (Trend Micro)

Attribution

Trend Micro has not assigned attribution with strong confidence but discovered several elements that may indicate a Russian threat actor is behind the attacks.

The first clue is that one of the logging servers used in this campaign to track the execution flow of active infections hosts an Amadey C2 panel, which is quite popular in Russian cybercrime forums.

Second, the server runs "Deniska," a special-purpose Linux system only referenced in Russian-speaking forums.

Finally, the server's default time zone is set to Moscow, another indicator that the threat actors are Russian.

It is more common to see North Korean threat actors operate campaigns promoting fake job offers targeting people working in the fin-tech industry. So, seeing Russians adopting this theme is an interesting development.